
With OpenHack 4, eWeek Labs and a group of technology providers are again entering the security ring to test enterprise systems fortitude under real-world conditions.

Each of the past three OpenHack tests was a challenge to hackers to take down an e-business Web site built, secured and monitored using common enterprise applications—and a unique opportunity to test these applications in the process (see story). With the OpenHack 4 test site, we're focusing on an area that's becoming increasingly problem-prone: application security.

Although every Web application is different, the basic techniques for securing them are the same: Input query string and HTTP form post parameters must be validated; code that generates HTML must guard against cross-site scripting attacks; code that accesses a database needs to prevent SQL injection attacks; and the database itself needs to be hardened against the applications (and their potential vulnerabilities) accessing it.
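The four techniques listed above, worked through in one request path, as an added example that is not part of the original article and not code from the OpenHack site or from Microsoft or Oracle. It uses an in-memory SQLite table with constructed sample rows, and the SKU format rule it validates against is a hypothetical one chosen for the demonstration. The unsafe lookup is kept beside the parameterised one so the difference in behaviour on a crafted parameter is visible.

```python
import html
import re
import sqlite3

# Constructed sample data (not from the OpenHack site): a tiny in-memory
# catalogue table standing in for the e-business database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Widget", 9.99), ("B200", "Gadget <b>deluxe</b>", 19.99)],
    )
    return conn

# 1. Validate query-string / form-post parameters against an allow-list
# pattern before they reach any other layer. Hypothetical rule for this
# example: a SKU is one upper-case letter followed by three digits.
SKU_RE = re.compile(r"^[A-Z][0-9]{3}$")

def validate_sku(raw):
    if raw is None or not SKU_RE.fullmatch(raw):
        raise ValueError("invalid sku parameter")
    return raw

# 2a. The defect: building SQL by string concatenation. A crafted parameter
# changes the structure of the query instead of supplying a value.
def lookup_sku_unsafe(conn, sku):
    query = ("SELECT name FROM products WHERE sku = '" + sku
             + "' ORDER BY rowid")
    return [row[0] for row in conn.execute(query)]

# 2b. The fix: a parameterised query. The driver passes the value separately
# from the statement text, so it is never parsed as SQL.
def lookup_sku_safe(conn, sku):
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE sku = ? ORDER BY rowid", (sku,))]

# 3. Encode anything reflected into HTML so that stored or user-supplied text
# cannot introduce markup or script into the generated page.
def render_name(name):
    return "<td>" + html.escape(name, quote=True) + "</td>"

# The full request path: validate, query with parameters, encode on output.
def handle_request(conn, params):
    try:
        sku = validate_sku(params.get("sku"))
    except ValueError:
        return "<td>bad request</td>"
    rows = lookup_sku_safe(conn, sku)
    return "".join(render_name(n) for n in rows)

if __name__ == "__main__":
    conn = build_db()
    crafted = "' OR '1'='1"
    print("unsafe:", lookup_sku_unsafe(conn, crafted))  # every row comes back
    print("safe:  ", lookup_sku_safe(conn, crafted))    # []
    print(handle_request(conn, {"sku": "B200"}))        # markup in name is encoded
    print(handle_request(conn, {"sku": crafted}))       # rejected by validation
```

The fourth point in the list, hardening the database against the application, is not something a single-file example can show; in practice it means the application connects with an account that can only read and write the tables it needs, so that a query-layer mistake like `lookup_sku_unsafe` cannot be turned into access to other data.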

However, making sure that all this happens with every variable, page and parameter in an application is challenging, to say the least. OpenHack 4 is intended not only as a test of development techniques and applications themselves but also as a demonstration of how to program defensively and how to provide multiple interlocking layers of security.

In building the OpenHack site, we provided two major systems software vendors—Microsoft Corp. and Oracle Corp.—with a Web-based production application developed by eWeek Labs. We asked each vendor to recode the application using the security practices recommended for their platforms.

Microsoft and Oracle deployed and secured the applications on their choice of hardware, operating system, application server and database. Each company was responsible for the security configuration of its servers.

Both the Microsoft and Oracle applications are up now at www.openhack.com, and we invite crackers from around the world to prove their "l33t skillz" (elite programming skills in hacker-speak) for the fun, challenge, public recognition and prize money. These prizes will be awarded for the successful completion of any of five separate penetration tasks. These represent successively more serious breaches of security: a cross-site scripting attack, a dynamic Web page source code disclosure, a Web page defacement, a SQL injection attack and theft of credit card data from the database. Denial-of-service attacks don't count and won't be credited. (See graphic for more details.)

We feel confident, based on the coding and hardening that's been done, that none of these attacks is possible, and we hope this test will improve our current OpenHack record of one win and two losses.

However, the first person to prove to eWeek Labs that he or she has succeeded at any crack wins for that category of attack. Only one prize will be awarded for each successful attack, and no hacks other than the ones described will merit prize money. We will acknowledge any interesting cracks, though, and their potential danger to enterprise security.

eWeek Labs, working with Oracle and Microsoft staffs, will fix security problems as we find them ourselves or learn about them from attackers.

A major goal of OpenHack is to provide eWeek readers with information that will help them keep their sites more secure. Full details of the OpenHack site configuration and test updates will be available at www.openhack.com and www.eweek.com/openhack. (Based on past experience, the OpenHack site will be under heavy load for the first few days of the test, so the eWeek site will provide a second communication channel). After completion of the test, source code will also be made available.

Those developing dynamic Web applications on either Microsoft or Oracle software will be able to cross-check our setup against their own configurations. The security techniques used are also general enough that they will apply to any organization developing Web applications that access database content. The Microsoft test application can be directly accessed at https://www.ms.openhack.com/default.aspx; the Oracle test application can be directly accessed at https://www.oracle.openhack.com/openhack/index.jsp.

As the test proceeds, we'll be watching the logs and intrusion detection reports the way an owl watches for mice (or perhaps, given the attacks we might get, the way mice watch for owls).
